Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly

How Many Layers Does Your Email Security Need?

At least one more layer than the attacker can defeat. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware.

Most IT people find email gateways justifiably boring. They’ve been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail.  For everything else, you probably figure email gateways are all pretty much the same, and as long as you checked the box, you are free to think about something else. Out of sight, out of mind, right?

The only problem is, that’s likely completely wrong.

If your email gateway rarely catches your attention, it’s likely because it is so easily and completely fooled by targeted threats that it never lets out a whimper. Ask yourself this: how would you know if your email gateway was missing new custom malware?

Consider the current state of the threat environment your email gateway faces. In addition to phishing and mass malware attacks distributed via botnets -- which are pretty easy to see and interdict at the gateway -- we have targeted attacks using new malware. According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks. Targeted attacks have adapted precisely to evade traditional methods most email gateways use to try to block unknown malware, such as the following techniques:

● AV engines may miss attacks because they use new or highly obfuscated malware, for which no signature exists.

●  Spam filters may miss attacks because they are one-off, low volume, or they have few suspicious traits to analyze.

● Sender reputation filters often miss attacks that come from newly created or spoofed email addresses, or from IP addresses with no "bad" history.

● Blanket policy rules that block all unusual and risky email attachment types (such as .EXE and .LNK) cannot be used on the malicious .DOC, .PDF, .XLS, and .PPT files favored by targeted attacks, as these are common business documents.

● URL filters may miss attacks because the malicious URL is hidden inside a PDF file, or within macros hidden inside document files.

● Web scanners are sometimes evaded by sending a harmless URL, but then placing malicious code behind the URL later after it has already passed the gateway.

Even newer methods such as sandboxes are limited in their protection against targeted malware. Unfortunately, targeted malware often contains countermeasures that delay execution or prevent discovery in a virtual machine environment. 

Let’s return to the earlier question, “How would you know if your email gateway was missing new malware?” There are several methods of varying efficacy. You might have endpoint whitelisting that spots something unusual. An Endpoint Detection and Response (EDR) solution is another method growing in popularity. Perhaps you get breached and conduct a forensic investigation back to the patient-zero compromised user account, time and date.

The news isn’t all bad. There are some advanced techniques that secure email gateways can use to block obfuscated, targeted PDF and Microsoft Office docs. No single technique is completely effective, but the more of these you can leverage, the better your chances.

First off, techniques like Sender Protection Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) are designed to validate the identity of the sender, protecting against spoofed emails that appear to come from a friendly sender. However, very few organizations bother to turn these capabilities on. Be sure to use the same technologies when sending your own email.

Secondly, your gateway needs to extract and explode all the elements of an email attachment to be able to deeply analyze it for malicious intent. There could be executables and macros hidden inside office documents. There may be buffer overflow exploits hidden inside PDFs, or JavaScript inside a .ZIP file. Deep analysis rules can be applied to score all the traits of a file for risk. Risk points can be assigned for hundreds of reasons, including the presence of obfuscation techniques, encryption, known exploits, and buffer overflows. This can create a statistical picture of a file’s malicious intent and block never-before-seen malware. In many ways, this is more robust than sandboxes because it’s not dependent on a fragile environment or finicky timing of file execution. Also, the very techniques used to evade or obfuscate end up exposing the malware to deep analysis rules.

Finally, it is essential to ensure URLs are scanned at time of click. In practical terms, this means that URLs contained in emails must be rewritten with pointers that force them to go through a cloud-based web gateway whenever they are clicked upon. This ensures security scans at any time, and on any device the recipient uses to read email, including mobile devices. 

So, how many layers does your email security need?

Email is a hotbed of hacking innovation. Traditional or incompletely implemented secure email gateways make you vulnerable to targeted attacks. Organizations can improve their odds markedly by turning on little-used or newer capabilities to block targeted malware.  

You always need at least one more layer of email security than the attacker can defeat.

Related content:


Chris Harget is a 20-year veteran in the IT security industry as a product manager and product marketing manager for leading innovators such as Trustwave, Blue Coat, Citrix and McAfee. He has trained thousands of technology professionals on desktop, network, email, web and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
6/6/2016 | 3:33:47 PM
Re: Could you send that email again? I never got it.
Lots of useful tactics in your comment.

Blocking all attachments goes too far, for most users we talk to.

Too much of their business (with insiders and outsiders) uses email to send docs. Add in the risk of email account takeover of a trusted business partner, and they really need a way to deeply scan office docs and PDFs for new, one-off, targeted malware. 
User Rank: Ninja
6/6/2016 | 1:55:39 PM
Could you send that email again? I never got it.
Here's just a few things your email gateway should include...






Challenge / Response

Reject All File Attachments

Strip HTML

Strip URLs

Spoof Filtering

Reverse DNS Mismatch Check


GeoIP Filtering

Word based filtering

SPF Filtering


Heuristic Filtering

Bayesian Filtering

MX Lookup Verification

Mime Header Check

IP Reputation Check

Open Relay Check


Signature Matching

Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
6/6/2016 | 12:03:45 PM
The spam industry
"According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks."

I wouldn't say that that's the only -- or even the most significant -- cause.  I think it has more to do with how the spamming industry has changed dramatically over the past six years, being whittled to a shadow of its former self by in-fighting and better enforcement.  Brian Krebs has written on this in depth in his book, Spam Nation.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...
PUBLISHED: 2020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other version...
PUBLISHED: 2020-07-10
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
PUBLISHED: 2020-07-10
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).